osquery-defense-kit/detection/c2/unexpected-https-client-lin...

276 lines
9.5 KiB
SQL

-- Unexpected programs communicating over HTTPS (state-based)
--
-- This query is a bit awkward and hobbled due to the lack of osquery support
-- for looking up binary signatures in Linux.
--
-- references:
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net often
-- platform: linux
SELECT s.remote_address,
p.name,
p.cgroup_path,
p.path,
p.cmdline AS child_cmd,
p.cwd,
pp.path AS parent_path,
p.parent AS parent_pid,
pp.cmdline AS parent_cmd,
s.local_address,
s.local_port,
s.state,
hash.sha256,
-- This intentionally avoids file.path, as it won't join across mount namespaces
CONCAT (
MIN(p.euid, 500),
',',
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
',',
MIN(f.uid, 500),
'u,',
MIN(f.gid, 500),
'g,',
p.name
) AS exception_key
FROM process_open_sockets s
LEFT JOIN processes p ON s.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN file f ON p.path = f.path
LEFT JOIN hash ON p.path = hash.path
WHERE protocol IN (6, 17)
AND s.remote_port = 443
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
AND s.remote_address NOT LIKE 'fe80:%'
AND s.remote_address NOT LIKE '127.%'
AND s.remote_address NOT LIKE '192.168.%'
AND s.remote_address NOT LIKE '172.1%'
AND s.remote_address NOT LIKE '172.2%'
AND s.remote_address NOT LIKE '172.30.%'
AND s.remote_address NOT LIKE '172.31.%'
AND s.remote_address NOT LIKE '::ffff:172.%'
AND s.remote_address NOT LIKE '10.%'
AND s.remote_address NOT LIKE '::ffff:10.%'
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND NOT exception_key IN (
'0,apk,u,g,apk',
'0,applydeltarpm,0u,0g,applydeltarpm',
'0,bash,0u,0g,bash',
'0,bash,0u,0g,mkinitcpio',
'0,bash,0u,0g,sh',
'0,chainctl,0u,0g,chainctl',
'0,cmake,u,g,cmake',
'0,containerd,u,g,containerd',
'0,dirmngr,0u,0g,dirmngr',
'0,dockerd,0u,0g,dockerd',
'0,flatpak-system-helper,0u,0g,flatpak-system-',
'0,git-remote-http,0u,0g,git-remote-http',
'0,kmod,0u,0g,depmod',
'0,launcher,0u,0g,launcher',
'0,launcher,500u,500g,launcher',
'0,ldconfig,0u,0g,ldconfig',
'0,nessusd,0u,0g,nessusd',
'0,nix,0u,0g,nix',
'0,nix,0u,0g,nix-daemon',
'0,packagekitd,0u,0g,packagekitd',
'0,pacman,0u,0g,pacman',
'0,python3.10,0u,0g,dnf',
'0,python3.10,0u,0g,dnf-automatic',
'0,python3.10,0u,0g,yum',
'0,python3.11,0u,0g,dnf',
'0,python3.11,0u,0g,dnf-automatic',
'0,python3.11,0u,0g,yum',
'0,rpi-imager,0u,0g,rpi-imager',
'0,snapd,0u,0g,snapd',
'0,tailscaled,0u,0g,tailscaled',
'0,tailscaled,500u,500g,tailscaled',
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'105,http,0u,0g,https',
'106,geoclue,0u,0g,geoclue',
'500,1password,0u,0g,1password',
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,act,0u,0g,act',
'500,apk,500u,500g,apk',
'500,apko,500u,500g,apko',
'500,apko,u,g,apko',
'500,apk,u,g,apk',
'500,aws,0u,0g,aws',
'500,aws,500u,500g,aws',
'500,bom,500u,500g,bom',
'500,bom-linux-amd64,500u,500g,bom-linux-amd64',
'500,Brackets,0u,0g,Brackets',
'500,brave,0u,0g,brave',
'500,buildkitd,500u,500g,buildkitd',
'500,cargo,0u,0g,cargo',
'500,cargo,500u,500g,cargo',
'500,chainctl,0u,0g,chainctl',
'500,chainctl,500u,100g,chainctl',
'500,chainctl,500u,493g,chainctl',
'500,chainctl,500u,500g,chainctl',
'500,chrome,0u,0g,chrome',
'500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'500,code,0u,0g,code',
'500,code,500u,500g,code',
'500,containerd,u,g,containerd',
'500,cosign,500u,500g,cosign',
'500,cosign-linux-amd64,0u,0g,cosign',
'500,crane,0u,0g,crane',
'500,crane,500u,500g,crane',
'500,curl,0u,0g,curl',
'500,Discord,0u,0g,Discord',
'500,Discord,u,g,Discord',
'500,docker,0u,0g,docker',
'500,eksctl,0u,0g,eksctl',
'500,eksctl,500u,500g,eksctl',
'500,electron,0u,0g,electron',
'500,evolution-addressbook-factory,0u,0g,evolution-addre',
'500,evolution-calendar-factory,0u,0g,evolution-calen',
'500,firefox,0u,0g,firefox',
'500,firefox,0u,0g,.firefox-wrappe',
'500,firefox,0u,0g,Socket Process',
'500,flameshot,0u,0g,flameshot',
'500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
'500,flux,500u,500g,flux',
'500,geoclue,0u,0g,geoclue',
'500,gh,0u,0g,gh',
'500,git,0u,0g,git',
'500,git-remote-http,0u,0g,git-remote-http',
'500,gitsign,0u,0g,gitsign',
'500,gitsign,500u,0g,gitsign',
'500,gitsign,500u,500g,gitsign',
'500,gitsign-credential-cache,500u,500g,gitsign-credent',
'500,gjs-console,0u,0g,org.gnome.Maps',
'500,gnome-recipes,0u,0g,gnome-recipes',
'500,gnome-shell,0u,0g,gnome-shell',
'500,gnome-software,0u,0g,gnome-software',
'500,go,0u,0g,go',
'500,go,500u,500g,go',
'500,goa-daemon,0u,0g,goa-daemon',
'500,go,u,g,go',
'500,grafana,u,g,grafana',
'500,grype,0u,0g,grype',
'500,grype,500u,500g,grype',
'500,gsd-datetime,0u,0g,gsd-datetime',
'500,gvfsd-google,0u,0g,gvfsd-google',
'500,gvfsd-http,0u,0g,gvfsd-http',
'500,helm,0u,0g,helm',
'500,htop,0u,0g,htop',
'500,hugo,500u,500g,hugo',
'500,io.elementary.appcenter,0u,0g,io.elementary.a',
'500,istioctl,500u,500g,istioctl',
'500,java,0u,0g,java',
'500,java,500u,500g,java',
'500,java,u,g,java',
'500,jcef_helper,500u,500g,jcef_helper',
'500,jetbrains-toolbox,u,g,jetbrains-toolb',
'500,kbfsfuse,0u,0g,kbfsfuse',
'500,keybase,0u,0g,keybase',
'500,Keybase,0u,0g,Keybase',
'500,ko,500u,500g,ko',
'500,ko,u,g,ko',
'500,kpromo,500u,500g,kpromo',
'500,krel,500u,500g,krel',
'500,kubectl,0u,0g,kubectl',
'500,kubectl,500u,500g,kubectl',
'500,lens,0u,0g,lens',
'500,limactl,0u,0g,limactl',
'500,mconvert,500u,500g,mconvert',
'500,melange,500u,500g,melange',
'500,melange,u,g,melange',
'500,Melvor Idle,500u,500g,exe',
'500,minikube,0u,0g,minikube',
'500,nautilus,0u,0g,nautilus',
'500,nerdctl,500u,500g,nerdctl',
'500,nix,0u,0g,nix',
'500,node,0u,0g,node',
'500,node,0u,0g,.node2nix-wrapp',
'500,node,u,g,node',
'500,obs,0u,0g,obs',
'500,obs-browser-page,0u,0g,obs-browser-pag',
'500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
'500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
'500,obsidian,u,g,obsidian',
'500,obs,u,g,obs',
'500,pacman,0u,0g,pacman',
'500,php8.1,0u,0g,php',
'500,pingsender,0u,0g,pingsender',
'500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p',
'500,promoter,500u,500g,promoter',
'500,publish-release,500u,500g,publish-release',
'500,python3,0u,0g,python3',
'500,python3.10,0u,0g,aws',
'500,python3.10,0u,0g,python',
'500,python3.10,0u,0g,python3',
'500,python3.11,0u,0g,gnome-abrt',
'500,python3.11,0u,0g,protonvpn',
'500,python3.11,0u,0g,prowler',
'500,python3,500u,500g,python3',
'500,python.test,500u,500g,python.test',
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'500,reporter-ureport,0u,0g,reporter-urepor',
'500,rpi-imager,0u,0g,rpi-imager',
'500,rustup,0u,0g,rustup',
'500,scoville,500u,500g,scoville',
'500,signal-desktop,0u,0g,signal-desktop',
'500,signal-desktop,u,g,signal-desktop',
'500,slack,0u,0g,slack',
'500,slack,u,g,slack',
'500,k6,500u,500g,k6',
'500,slirp4netns,0u,0g,slirp4netns',
'500,slirp4netns,500u,500g,slirp4netns',
'500,snap-store,0u,0g,snap-store',
'500,spotify,0u,0g,spotify',
'500,spotify,500u,500g,spotify',
'500,stern,500u,500g,stern',
'500,spotify,u,g,spotify',
'500,steam,500u,100g,steam',
'500,steam,500u,500g,steam',
'500,steamwebhelper,500u,100g,steamwebhelper',
'500,steamwebhelper,500u,500g,steamwebhelper',
'500,step,500u,500g,step',
'500,step-cli,0u,0g,step',
'500,syncthing,0u,0g,syncthing',
'500,teams,0u,0g,teams',
'500,terraform,0u,0g,terraform',
'500,terraform,500u,500g,terraform',
'500,thunderbird,0u,0g,thunderbird',
'500,thunderbird,u,g,thunderbird',
'500,tilt,500u,500g,tilt',
'500,todoist,0u,0g,todoist',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,wget,0u,0g,wget',
'500,wolfictl,500u,500g,wolfictl',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,xmobar,0u,0g,xmobar',
'500,yay,0u,0g,yay',
'500,zdup,500u,500g,zdup',
'500,zoom,0u,0g,zoom',
'500,zoom.real,u,g,zoom.real',
'80,6,500,python3.11,0u,0g,yum',
'88,6,500,syncthing,0u,0g,syncthing'
) -- Exceptions where we have to be more flexible for the process name
AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi' -- stay weird, NixOS (Fastly nix mirror)
AND NOT (
pp.cmdline = '/run/current-system/sw/bin/bash'
AND p.path LIKE '/nix/store/%'
AND s.remote_address LIKE '151.101.%'
AND s.state = 'ESTABLISHED'
)
AND NOT (
exception_key LIKE '500,%,500u,500g,%'
AND p.path LIKE '/tmp/go-build%/exe/%'
)
AND NOT (
exception_key = '0,curl,0u,0g,curl'
AND p.cmdline = 'curl --fail https://ipinfo.io/timezone'
) -- Exclude processes running inside of containers
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%' -- Tests
AND NOT p.path LIKE '/tmp/go-build%.test'
GROUP BY p.cmdline